Say YES to Website Security
For the owner/operator of a Web-based business, website
security is, if not persistently top-of-mind, at least continually at
the back of it — or at least it should be. It’s time to get serious
about security and limiting your website’s digital vulnerabilities.
There have been numerous high-profile attacks
on ‘Net enterprises over the years, but they are
seemingly increasing in both quantity and severity.
In 2013 alone, companies including Apple,
Twitter, Facebook, Evernote, Tumblr, Burger
King, Jeep and The New York Times have been
hacked. If their website security measures were
lax, couldn’t yours be too?
E-commerce websites in particular (as well as
those enterprises that store user information, such
as digital publishers) are, obviously, at the greatest
risk. While putting users’ personal information
in jeopardy is one problem (and a big one at
that) there’s also the little issue of reputation,
which, if you’ve spent any time at all in the realm
of Internet marketing, you know is fundamental
to Web success.
Last year (June 2012), Google reported that
12-14 million search queries per day returned
warnings that at least one of the results was compromised.
At the time, Google was finding nearly
9,500 new malicious websites every day.
The Website Security Basics
Anyone responsible for a website knows, or should know, the absolute basics of website security. Yet hackers still do what they do because enterprises somehow still fail to follow even the most basic recommendations for digital security.
One of the easiest ways to ensure your enterprise
website is not the victim of an attack is to insist
that deployed software is routinely updated to
ensure that the most recent version is running.
Hackers look for opportunities, exploits if you will,
and if it’s too difficult to crack your digital presence,
they will move on to the next potential victim.
Another rather significant threat stems from the
use of administrative passwords. If there were a way
to see passwords you might be surprised at how
very basic they are — even though we all know better.
In 2013, there’s no reason for key personnel to
be lax or lazy about choosing/remembering passwords
— particularly when it comes to sensitive
accounts. Select strong passwords at least 10 characters
in length and include letters, numbers and
special characters. Use different passwords for
email, control panels and FTP accounts and make
sure they are stored securely. Another method for
enterprises to consider is the use of two-factor authentication,
which requires two types of evidence
from users that they are who they claim to be.
File permissions should also be an area of
focus for Internet professionals. Some applications
require permissions to be set at the open
‘777’ (read, write, execute for all — owners and
users) to install and then are not changed back to
‘755’ for folders or ‘644’ for files. Make sure to
follow the guidance for specific applications and
perform periodic audits to ensure files and folders
are not vulnerable.
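A periodic audit of the kind described above can be scripted. The following is an added example, not code from the original article: it lists anything under a web root that is looser than 755/644 and resets it to that baseline. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for modes looser than 755 (folders) / 644 (files).

# Print every directory or file under $1 that is writable by group or others,
# i.e. anything still left at installer-style 777/666 permissions.
audit_perms() {
    # -perm -020 / -perm -002: the group-write or other-write bit is set (POSIX find).
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Print regular files that carry any execute bit (644 expects none).
audit_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Reset to the baseline the article names: 755 for folders, 644 for files.
# Re-apply any exception an application's own guidance requires afterwards.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree standing in for a web root after an installer ran.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/uploads" "$t/includes"
    : > "$t/index.php"
    : > "$t/uploads/config.php"
    chmod 777 "$t/uploads"
    chmod 755 "$t/includes"
    chmod 644 "$t/index.php"
    chmod 666 "$t/uploads/config.php"
    printf '%s\n' "$t"
}

demo_root=$(make_sample_tree)
echo "Looser than 755/644:"
audit_perms "$demo_root"
fix_perms "$demo_root"
echo "Findings after reset: $(audit_perms "$demo_root" | wc -l)"
rm -rf "$demo_root"
```

Run the audit functions against the real web root first and review the list before calling fix_perms, since some applications document specific files that need other modes.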
Those are some of the basics — but only the
basics. There’s a lot more that goes into operating
a secure website.
It’s not always a company’s employees (programmers,
designers, etc.) that are to blame for
security issues however — sometimes (not all the
time, though) you can point the digital finger directly
at the Web hosting service. Enterprises that
want or need more security for their customers’
personal data and want to ensure that applications
aren’t woefully exposed, should consider
moving immediately beyond shared hosting toward
Virtual Private Servers (VPS) hosting. A VPS
is, for the most part, more secure, as custom security
firewalls can be deployed and other security
measures, often disallowed by shared hosting
providers, can be installed. It’s akin to moving to
a safer neighborhood, perhaps a gated community.
Not that breaches can’t occur there, but
they’ll likely occur far less often and that’s reason
enough to make this suggestion a consideration.
Advanced Website Security
Enterprises with more to lose need to take additional
precautions to prevent or reduce the risk
that websites and internal systems are the targets
of an attack. Here’s a short list to keep in mind to
prevent some of the more malicious everyday
hacks from occurring:
SOFTWARE: Anti-virus software and intrusion
detection systems should always be incorporated
within an infrastructure. For example,
border routers should be configured to only
route traffic to and from a company’s public IP
address. Firewalls should be deployed which restrict
traffic only to and from the necessary
services. Intrusion detection and prevention
systems should be properly configured to monitor
for suspicious activity.
PATCH EXPLOITS: Recent Websense research
revealed that 74 percent of active computers
were still susceptible to Java exploits that were
discovered in 2012, and almost 94 percent were
susceptible to the latest patched Java exploits.
That’s just downright unacceptable. By patching
security holes quicker, potential server vulnerabilities
are reduced dramatically, particularly if
users have access to FTP.
BE PROACTIVE: Consider the use of a “honeypot,”
software or a device that exists
for the sole purpose of being attacked. Honeypots
essentially serve as an early warning system, detecting
malicious activity from outsiders and insiders,
turning up exploits that some tools might
miss. Some of the best include Glastopf, Specter,
Ghost USB and KFSensor.
Put an End to Digital Vulnerabilities
Website security is about protecting important virtual assets. The information shared here should serve as an opportunity to get your enterprise thinking about ways it might be vulnerable and the opportunities available to make your website a less attractive target. There are numerous factors that go into running a secure website. But take even these modest precautions and your business and its customers will be better off.